[IMC-Tech] Image file uploads allow client side code injection in Internet Explorer 6.x, was: your IRC message
lee azzarello
a3ulafia at gmail.com
Sat Dec 3 09:58:37 PST 2005
On 11/30/05, Alster <alster at indymedia.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> As M$ does not currently seem to plan to address this issue, web
> application developers who are concerned about the security of their web
> application when used by users running M$ IE, need to address this
> issue on their own. This is possible by matching the file extension to
> the file header or even better the overall content of the file which is
> being uploaded.
I remember something like this from long ago. There was a bug in M$'s
GDI graphics library that effected all Windows components and 3rd
party apps that called it. It sounds like this is related to the issue
here, no?
http://www.microsoft.com/technet/security/bulletin/ms05-053.mspx
-lee
More information about the imc-tech
mailing list